Accepting request 614748 from home:iznogood:branches:network:vpn

New stable rel, fix CVS's

OBS-URL: https://build.opensuse.org/request/show/614748
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=112

strongswan-5.6.2.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e0a60a30ebf3c534c223559e1686497a21ded709a5d605c5123c2f52bcc22e92
-size 4977859

strongswan-5.6.2.tar.bz2.sig

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJaiq4/AAoJEN9CwXCzTbp3ps8L/0Q5o49SWOozYIGHLsO/9y3B
-0rXzGdKlkFyysTNBf8BlrUh6U21D5g9ENO8OFofOAaseTzOwN9uUygiHggfF9WhG
-p0vq9kiFtW6i7fYyK2hbfo1GzIPPP5T78dJqqzP3cQp21ycLHskZPMpytUkxn1rb
-vA1IFy74GIeMZqB9dbBIyTiXIPGrJjvjeuVAkI5XWu6+sOmHz/utYz17EF4oeTTg
-PYJ2mvGQvgZPWh2Y4Vh4riMXFr9RBF+I/aSJ/e0Q4yuwwc2+83TShGyuZQmSG3jI
-bMwnBkSGpT2KMIb0PtSzB7zvnll+Dosr3hyWNZ+MaqzIwQpo051IKF0ZaJSpoZnZ
-rKVUIMriTa+N4AFkYFC60pJAZ61xUw5Wm/LTfHckHm0n7qK9CzWv2oNj5jboTmw7
-tpx7F27+iDO0/DUaBXuqTDThBXElN+e7p2/GSTnw9Y3N5jWnmgVyZHkhxggNzf4G
-0W2UcEgNmpP0gbJ3U0BnKv3CN5VQuxBpz2K2tKiJwg==
-=L2B6
------END PGP SIGNATURE-----

strongswan-5.6.3.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c3c7dc8201f40625bba92ffd32eb602a8909210d8b3fac4d214c737ce079bf24
+size 4961579

strongswan-5.6.3.tar.bz2.sig

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJbC/V/AAoJEN9CwXCzTbp3xwsL/RivLwRDRkIDC93Le2B/d7dT
+/BHN/4PDmy+dEzysNVPXDG8TLm1VWgaIXvh0pVzPq4ohJSOP0tPFoeyJpHtPT9Xt
+x/VLnVlw2lNm70MZxXh1w9U6oEt8Sce9jtRJuEu54RhHBPcypNhNY1OsE1v8yeKf
+1MYENntcs/ATn7OkgtCALIB9WAZEFnXMQmpG+9hUzsr6zBfTY33t2QbsVeoiZAnV
+yTIRZQgilEAx9ZahjF1Vri1plUti8ZL/W9y0OnWt+/oOnXAx91NH2KgZ4qkAqtbg
+1H3nacKNHk6XP0Ca+wB4WIBmwDfquUEDTNbBPDaQy2yl33hzj9w2jovbSPF3YPnl
+TzY07K77OMK9r7YtxIa+diXs3GTh6vEe9E8mgRrQ96TXDCXCVvlQcTfEDmJ3z1ZC
+gk5blg7os5gAVKkdtEPChJP1VPJk2qhY8eZOCfdgIucv06YQKkj2aAcac+Umthne
+yS/qWZm8/LI6UII9Nf541o2KrlDd4ypoYOt0oibaoA==
+=NiPQ
+-----END PGP SIGNATURE-----

strongswan.changes

@@ -1,3 +1,96 @@
+-------------------------------------------------------------------
+Wed Jun  6 22:14:57 UTC 2018 - bjorn.lie@gmail.com
+
+- Update to version 5.6.3 (CVE-2018-10811, boo#1093536,
+  CVE-2018-5388, boo#1094462):
+  * Fixed a DoS vulnerability in the IKEv2 key derivation if the
+    openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated
+    as PRF. This vulnerability has been registered as
+    CVE-2018-10811, boo#1093536.
+  * Fixed a vulnerability in the stroke plugin, which did not check
+    the received length before reading a message from the socket.
+    Unless a group is configured, root privileges are required to
+    access that socket, so in the default configuration this
+    shouldn't be an issue. This vulnerability has been registered
+    as CVE-2018-5388, boo#1094462.
+  * CRLs that are not yet valid are now ignored to avoid problems
+    in scenarios where expired certificates are removed from new
+    CRLs and the clock on the host doing the revocation check is
+    trailing behind that of the host issuing CRLs. Not doing this
+    could result in accepting a revoked and expired certificate, if
+    it's still valid according to the trailing clock but not
+    contained anymore in not yet valid CRLs.
+  * The issuer of fetched CRLs is now compared to the issuer of the
+    checked certificate (#2608).
+  * CRL validation results other than revocation (e.g. a skipped
+    check because the CRL couldn't be fetched) are now stored also
+    for intermediate CA certificates and not only for end-entity
+    certificates, so a strict CRL policy can be enforced in such
+    cases.
+  * In compliance with RFC 4945, section 5.1.3.2, certificates used
+    for IKE must now either not contain a keyUsage extension (like
+    the ones generated by pki), or have at least one of the
+    digitalSignature or nonRepudiation bits set.
+  * New options for vici/swanctl allow forcing the local
+    termination of an IKE_SA. This might be useful in situations
+    where it's known the other end is not reachable anymore, or
+    that it already removed the IKE_SA, so retransmitting a DELETE
+    and waiting for a response would be pointless.
+  * Waiting only a certain amount of time for a response (i.e.
+    shorter than all retransmits would be) before destroying the
+    IKE_SA is also possible by additionally specifying a timeout in
+    the forced termination request.
+  * When removing routes, the kernel-netlink plugin now checks if
+    it tracks other routes for the same destination and replaces
+    the installed route instead of just removing it. Same during
+    installation, where existing routes previously weren't
+    replaced. This should allow using traps with virtual IPs on
+    Linux (#2162).
+  * The dhcp plugin now only sends the client identifier DHCP
+    option if the identity_lease setting is enabled (7b660944b6).
+    It can also send identities of up to 255 bytes length, instead
+    of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server
+    address is configured, DHCP requests are now sent from port 67
+    instead of 68 to avoid ICMP port unreachables (becf027cd9).
+  * The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one
+    containing a DH group that wasn't proposed) during
+    CREATE_CHILD_SA exchanges has been improved (#2536).
+  * Roam events are now completely ignored for IKEv1 SAs (there is
+    no MOBIKE to handle such changes properly).
+  * ChaCha20/Poly1305 is now correctly proposed without key length
+    (#2614). For compatibility with older releases the
+    chacha20poly1305compat keyword may be included in proposals to
+    also propose the algorithm with a key length (c58434aeff).
+  * Configuration of hardware offload of IPsec SAs is now more
+    flexible and allows a new setting (auto), which automatically
+    uses it if the kernel and device both support it. If hw_offload
+    is set to yes and offloading is not supported, the CHILD_SA
+    installation now fails.
+  * The kernel-pfkey plugin optionally installs routes via internal
+    interface (one with an IP in the local traffic selector). On
+    FreeBSD, enabling this selects the correct source IP when
+    sending packets from the gateway itself (e811659323).
+  * SHA-2 based PRFs are supported in PKCS#8 files as generated by
+    OpenSSL 1.1 (#2574).
+  * The pki --verify tool may load CA certificates and CRLs from
+    directories.
+  * The IKE daemon now also switches to port 4500 if the remote
+    port is not 500 (e.g. because the remote maps the response to a
+    different port, as might happen on Azure), as long as the local
+    port is 500 (85bfab621d).
+  * Fixed an issue with DNS servers passed to NetworkManager in
+    charon-nm (ee8c25516a).
+  * Logged traffic selectors now always contain the protocol if
+    either protocol or port are set (a36d8097ed).
+  * Only the inbound SA/policy will be updated as reaction to IP
+    address changes for rekeyed CHILD_SAs that are kept around.
+  * The parser for strongswan.conf/swanctl.conf now accepts =
+    characters in values without having to put the value in quotes
+    (e.g. for Base64 encoded shared secrets).
+- Rename strongswan-5.6.2-rpmlintrc to strongswan-rpmlintrc,
+  changing the version string on every version update makes no
+  sense.
+
 -------------------------------------------------------------------
 Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com
 

strongswan.spec

@@ -17,7 +17,7 @@
 
 
 Name:           strongswan
-Version:        5.6.2
+Version:        5.6.3
 Release:        0
 %define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
@@ -69,7 +69,7 @@ Requires:       strongswan-ipsec = %{version}
 Source0:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
 Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
 Source2:        %{name}.init.in
-Source3:        %{name}-%{version}-rpmlintrc
+Source3:        %{name}-rpmlintrc
 Source4:        README.SUSE
 Source5:        %{name}.keyring
 %if %{with fipscheck}